UNM4SK3D: NiceHash, Android, and TeamViewer


#hacked

Bitcoin buyers beware. The price of the popular cryptocurrency crossed the $14,800 mark in less than 24 hours, which has made it an even more attractive target for hackers. One site, NiceHash, the largest Bitcoin mining marketplace, has recently fallen victim to hacking.

For those unfamiliar, NiceHash is a “cloud-based crypto-mining marketplace that connects people from all over the world to rent out their spare computing power to others in order to create new coins.” Shockingly, the NiceHash hack resulted in the theft of more than 4,700 Bitcoins worth over $57 million, a value which has only continued to rise since the hack occurred. It is estimated the value of the stolen Bitcoin is now at around $70 million. The breach was first discovered when users noticed their wallets had been emptied. Later, NiceHash confirmed there had been a breach after its service went offline, claiming to be ‘undergoing maintenance.’ While the company did not provide further details, it did pause operations for over 24 hours while it figured out exactly how many BTC were swiped from its website and how they were taken.

Unfortunately for users, there are still more questions than answers. And, with a currency that does not fall under regulation, it is hard to say what this will mean for those who lost their money. Following the breach, NiceHash has recommended that its customers change their passwords on both NiceHash and any other service where they use the same credentials. In related news, a federal district court in California ordered Coinbase to turn over three years’ worth of identifying records on more than 14,000 of its customers to the Internal Revenue Service (IRS). According to the IRS petition, most Coinbase users “have not been or may not be complying with US internal revenue laws requiring the reporting of taxable income from virtual-currency transactions.” This, as you may have guessed, is a major strike against one of the big draws of cryptocurrency: anonymity.

We understand that you will have a lot of questions, and we ask for patience and understanding while we investigate the causes and find the appropriate solutions for the future of the service. We will endeavor to update you at regular intervals. -NiceHash

For the details on previous cryptocurrency breaches, read this edition of ‘UNM4SK3D.’

First identified by the Check Point Research Team, the proof of concept (PoC) for the attack is being called ‘ParseDroid,’ and the flaw resides in a popular XML parsing library, ‘DocumentBuilderFactory.’ This library is used by the most common Android Integrated Development Environments (IDEs), such as Google’s Android Studio, JetBrains’ IntelliJ IDEA and Eclipse, as well as by the major reverse engineering tools for Android apps such as APKTool and Cuckoo-Droid. The vulnerability is triggered when a vulnerable Android development or reverse engineering tool “decodes an application and tries to parse the maliciously crafted ‘AndroidManifest.xml’ file inside it.” In the proof of concept developed by Check Point, it is demonstrated how a malicious actor could create a malicious library that would be attractive to a developer targeted in the attack, starting by uploading the bad code library to a public repository.

Once it is uploaded, the hackers manipulate the ranking of their malicious library, increasing the odds that the targeted developer will use it as part of an application under development. If the malicious library is used, the attacker can gain control of both the integrated development environment and the developer’s computer. What makes this vulnerability especially dangerous is that it can also be used to “inject arbitrary files anywhere on a targeted computer to achieve full remote code execution (RCE).” While this is not the first time malicious libraries have been planted on repositories, this vulnerability is especially dangerous because the code associated with a ‘ParseDroid’ attack is not being analyzed by repositories.

The way we chose to demonstrate this vulnerability, of course, is just one of many possible attack methods that can be used to achieve full RCE. Indeed, the Path Traversal method lets us copy any file to any location on the file system, making the attack surface-wide and various. -Check Point Researchers
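The two defensive controls a tool author would want here follow from the two weaknesses the column describes: an XML parser that trusts whatever a crafted ‘AndroidManifest.xml’ declares, and file extraction that lets an archive entry land anywhere on the file system. The Java below is an added example written for this column, not code from Check Point or from any of the tools named above. It assumes (the column does not say) that the crafted manifest abuses DTD and external-entity handling, which is the usual way a parsed XML file is turned into a file read; the sample manifest, the `example.app` package name, the `/PLACEHOLDER/path` file reference and the `out` directory are all constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class ParseDroidHardening {

    // Hardened factory: DOCTYPE declarations are refused outright, so neither
    // external entities nor entity expansion can be used against the tool.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Default factory, kept only for contrast: it accepts a DOCTYPE and will
    // try to resolve whatever external entity the document declares.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Constructed sample manifest carrying a DOCTYPE that points at a local
    // file. The path is a placeholder, not a real target.
    static final String CRAFTED_MANIFEST =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE manifest [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\">]>\n"
      + "<manifest package=\"example.app\">&ext;</manifest>\n";

    // Returns true if the builder accepted the document, false if it rejected it.
    // An IOException propagates when the parser actually went to the file system.
    static boolean parses(DocumentBuilder b, String xml) throws IOException {
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d != null;
        } catch (SAXException e) {
            return false; // the hardened builder lands here on the crafted manifest
        }
    }

    // Path-traversal check for tools that unpack an APK to disk: the entry name
    // taken from the archive is resolved against the output directory and
    // rejected unless the normalized result still lies inside it.
    static Path safeResolve(Path outDir, String entryName) {
        Path base = outDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("entry escapes output dir: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened builder accepts crafted manifest: "
            + parses(hardenedBuilder(), CRAFTED_MANIFEST));
        try {
            parses(defaultBuilder(), CRAFTED_MANIFEST);
        } catch (IOException e) {
            // The default configuration attempted to open the referenced file.
            System.out.println("default builder reached the file system: " + e.getMessage());
        }
        System.out.println(safeResolve(Paths.get("out"), "res/values/strings.xml"));
        try {
            safeResolve(Paths.get("out"), "../../escaped.txt");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The `disallow-doctype-decl` feature is the single setting that does most of the work; the remaining features are belt-and-braces for parsers that do not honour it. The `safeResolve` check is the same normalize-then-`startsWith` pattern used against archive path traversal generally, and it rejects absolute entry names as well as `..` sequences because `resolve` of an absolute path discards `base`.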

#hijacked

TeamViewer users beware. A PoC published by Reddit user ‘xpl0yt’ demonstrated a critical TeamViewer vulnerability that could allow a user sharing a desktop session to gain complete control of the other user’s PC without permission.

As a refresher, TeamViewer is popular remote-support software that lets you securely share your desktop or take full control of others’ PCs. ‘xpl0yt’ demonstrates an injectable C++ DLL, which leverages “naked inline hooking and direct memory modification to change TeamViewer permissions.” This allows an attacker to gain control of either the presenter’s session or the viewer’s session without permission, making it possible to control the mouse of the presenter’s computer regardless of what settings or permissions the presenter may have set. It also opens up the possibility of easily weaponizing the bug to disable a host’s visual input and force the targeted computer’s screen to go black, hiding malicious activity.

After initial discovery, the bug was confirmed by TeamViewer, which began working on a patch. The flaw affects the Windows, macOS and Linux versions of TeamViewer; the fix was released first for Windows, followed by the other operating systems. Patches will be delivered automatically to customers who have configured TeamViewer to accept automatic updates. Be advised, however, that it could take three to seven days before the update is installed. We encourage users to remain vigilant about cyber security news, as new vulnerabilities surface daily.

Exploited as a presenter you are able to turn on a ‘switch sides’ feature (that usually needs the client to agree to) and change controls and sides, controlling a viewer’s computer. If exploited as a viewer, you are able to control the mouse of the presenter’s computer no matter what settings or permissions the presenter may have had set. -TJ Nelson, security researcher with Arbor Networks

#factbyte

According to new research by Venafi, 69% of respondents from the financial services industry admit they do not actively rotate SSH keys, even when an administrator leaves their organization.

Olivia Lynch (@Cybrary_Olivia) is the Marketing & Communications Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.
